
Re: Have I been hacked?



On Fri 09 Jan 2015 at 21:19:41 -0500, Jerry Stuckle wrote:

> On 1/9/2015 8:49 PM, Joel Rees wrote:
> 
> > SSH keys are useful, but you have to keep them somewhere. The real
> > danger to good passwords is the off-line attempts, and the passphrase
> > you use for your private keystore is potentially subject to off-line
> > if your password is.
> > 
> 
> Yes, keys may actually be less secure than passwords.

That's an interesting line of enquiry! An administrator who enforces
a login with keys knows exactly what the server will accept in terms of
authentication for *all* users. What he does not know is the level of
security which the user has placed on the key with the passphrase.
Furthermore, he has no technical way of ensuring the passphrase is
sufficiently strong or that the private key is not left lying about on
various machines to be probed at someone's leisure.

Another interesting aspect is that public-key authentication support by
ssh was not introduced as a response to any perceived general weakness
in a login with a password. SSH, The Secure Shell: The Definitive Guide
cites the single password per account as inconvenient (a new password
must be communicated to everyone with access to the account) and
accountability of access as reasons.

Granted, the same book also says passwords can be captured on a
compromised host. But if the host is compromised the administrator has
quite big problems elsewhere.

By all means advocate and use ssh keys. But at least provide some
substantial reason for spurning password login for that particular
situation. A blanket "don't use passwords" or "keys are better" doesn't
cut it.
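The post above makes the point that the server side can enforce key-based login but cannot see how well each private key is protected. The one part of that which is checkable, on a machine you do control, is whether the key file is encrypted at all and with which key-derivation function, since that is what sets the cost of the off-line passphrase guessing Joel Rees mentions. The following is an added example written for this page (not code from the thread, from OpenSSH, or from the book cited above): a small parser for the unencrypted header of both the current openssh-key-v1 format and the legacy PEM format. The sample key files are constructed inline; they follow the real header layout but stub the key material out, so ssh itself would reject them. The rounds value is the one set with `ssh-keygen -a`.

```python
import base64
import re
import struct

# Magic string that opens every key in the current OpenSSH private-key format.
OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _read_string(buf, off):
    """Read one uint32-length-prefixed (big-endian) string from buf at offset off."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def _pack_string(data):
    return struct.pack(">I", len(data)) + data


def inspect_private_key(text):
    """Describe how a private key file is protected, without needing its passphrase.

    Only the plaintext header is read; the (possibly encrypted) key material is
    never touched. Returns format, cipher, kdf, encrypted and, for bcrypt, rounds.
    """
    if "-----BEGIN OPENSSH PRIVATE KEY-----" in text:
        body = "".join(l for l in text.splitlines() if not l.startswith("-----"))
        raw = base64.b64decode(body)
        if not raw.startswith(OPENSSH_MAGIC):
            raise ValueError("not an openssh-key-v1 blob")
        off = len(OPENSSH_MAGIC)
        cipher, off = _read_string(raw, off)    # "none" means no passphrase at all
        kdf, off = _read_string(raw, off)       # "none" or "bcrypt"
        kdfopts, off = _read_string(raw, off)   # bcrypt: string salt, uint32 rounds
        info = {"format": "openssh-key-v1", "cipher": cipher.decode(),
                "kdf": kdf.decode(), "encrypted": cipher != b"none"}
        if kdf == b"bcrypt":
            _salt, o = _read_string(kdfopts, 0)
            (info["rounds"],) = struct.unpack(">I", kdfopts[o:o + 4])
        return info

    if re.search(r"-----BEGIN (RSA|DSA|EC) PRIVATE KEY-----", text):
        # Legacy PEM: encryption is signalled by RFC 1421 style headers, and the
        # key is derived from the passphrase with a single MD5 pass (EVP_BytesToKey).
        encrypted = "Proc-Type: 4,ENCRYPTED" in text
        dek = re.search(r"DEK-Info: ([A-Za-z0-9-]+),", text)
        return {"format": "pem", "cipher": dek.group(1) if dek else "none",
                "kdf": "md5" if encrypted else "none", "encrypted": encrypted}

    raise ValueError("unrecognised private key file")


def verdict(info):
    """One-line assessment of how much work an off-line attacker has per guess."""
    if not info["encrypted"]:
        return "unprotected: whoever copies the file has the key"
    if info["format"] == "pem":
        return "weak: legacy PEM, one MD5 pass per candidate passphrase"
    return "bcrypt_pbkdf with %d rounds per candidate passphrase" % info["rounds"]


def make_openssh_key_file(cipher=b"aes256-ctr", kdf=b"bcrypt", rounds=16):
    """CONSTRUCTED sample (assumption, not a real key): real header layout,
    but the public and private sections are empty strings."""
    kdfopts = b""
    if kdf == b"bcrypt":
        kdfopts = _pack_string(b"\x00" * 16) + struct.pack(">I", rounds)
    raw = (OPENSSH_MAGIC + _pack_string(cipher) + _pack_string(kdf)
           + _pack_string(kdfopts) + struct.pack(">I", 1)   # one key in the file
           + _pack_string(b"") + _pack_string(b""))          # stubbed key sections
    b64 = base64.b64encode(raw).decode()
    lines = [b64[i:i + 70] for i in range(0, len(b64), 70)]
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + "\n".join(lines)
            + "\n-----END OPENSSH PRIVATE KEY-----\n")


# CONSTRUCTED legacy PEM samples; the body is filler, only the headers matter here.
LEGACY_PEM_ENCRYPTED = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF

QUJDREVGR0hJSktMTU5PUA==
-----END RSA PRIVATE KEY-----
"""

LEGACY_PEM_PLAIN = """-----BEGIN RSA PRIVATE KEY-----
QUJDREVGR0hJSktMTU5PUA==
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    samples = {
        "id_ed25519, no passphrase": make_openssh_key_file(b"none", b"none"),
        "id_ed25519, ssh-keygen -a 100": make_openssh_key_file(rounds=100),
        "legacy id_rsa, encrypted": LEGACY_PEM_ENCRYPTED,
        "legacy id_rsa, plain": LEGACY_PEM_PLAIN,
    }
    for name, text in samples.items():
        print("%-32s %s" % (name, verdict(inspect_private_key(text))))
```

Run it over the files under `~/.ssh` on any host you administer and it flags the two cases the post is worried about: keys with no passphrase, and old-format keys whose passphrase can be guessed off-line at roughly hash speed. It cannot tell you whether the passphrase itself is any good, which is exactly the gap the post describes.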

